Messages - s0nic

#1
I have enabled DNS logging in unbound and I see requests that I would normally assign to an IOC:

2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:3] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN
2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN

Notes

  • No client has requested these addresses.
  • 10.10.10.254 = OpnSense LAN Interface
  • kaki = local domain (intranet) eg. server01.kaki
  • Only OpenVPN is offered via the WAN interface. No other ports have been opened on the WAN interface so far.
  • Only the following packages differ from the default installation:
    - os-etpro-telemetry (installed)
    - os-sensei (installed)
    - os-sunnyvalley (installed)


I have some questions:

  • Why does OpnSense use its LAN address for internal / its own DNS queries?
    ---> I also see other requests from OpnSense with 127.0.0.1, so why is it using 10.10.10.254?
  • What damn package or function is trying to resolve these domains here?
  • If it is a client, he must have spoofed the firewall LAN IP... but then... why does he ask for the domains without TLD?
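An added example, not part of the post and not OPNsense or unbound code: a small Python script that parses unbound query-log lines in the format quoted above and flags first labels that look machine-generated, grouping hits by client so you can see how many distinct names each source produced and how long they are. The first four sample lines are copied from the post, the rest are constructed; the entropy and vowel-ratio thresholds are assumptions chosen to separate the labels shown from ordinary hostnames, not tuned values. One caveat a practitioner should keep in mind before calling this an IOC: a burst of three random lowercase labels of 7 to 15 characters with the local search suffix appended is also what Chromium's startup probe for NXDOMAIN hijacking generates, so the script reports the count and length of the labels alongside the names rather than passing judgement.

```python
"""Flag random-looking hostnames in unbound query logs (added example)."""
import math
import re
from collections import Counter, defaultdict

# Line shape from the post (unbound with log-queries enabled):
# <timestamp> unbound[pid] [pid:thread] info: <client> <qname> <qtype> <qclass>
UNBOUND_QUERY_RE = re.compile(
    r"^(?P<ts>\S+)\s+unbound\[\d+\]\s+\[\d+:\d+\]\s+info:\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s*$"
)

# First four lines copied from the post, the remainder constructed for the example.
SAMPLE_UNBOUND_LINES = [
    "2021-08-31T21:32:59   unbound[33632]   [33632:2] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN",
    "2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 nbxrvgnirjdrd.kaki. A IN",
    "2021-08-31T21:32:59   unbound[33632]   [33632:1] info: 10.10.10.254 noikwpgdnmdoz.kaki. A IN",
    "2021-08-31T21:32:59   unbound[33632]   [33632:0] info: 10.10.10.254 cfztcaysicnpglf.kaki. A IN",
    "2021-08-31T21:33:04   unbound[33632]   [33632:3] info: 10.10.10.23 server01.kaki. A IN",
    "2021-08-31T21:33:05   unbound[33632]   [33632:0] info: 127.0.0.1 fileserver.kaki. AAAA IN",
    "2021-08-31T21:33:05   unbound[33632]   [33632:0] info: 10.10.10.23 www.example.com. A IN",
    "garbage line that should be skipped",
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a query log line."""
    m = UNBOUND_QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # drop trailing root dot
    return rec


def shannon_entropy(s):
    """Bits per character of the string; ~4.7 is the maximum for 26 letters."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


VOWELS = set("aeiou")


def looks_random(label, min_len=7, min_entropy=2.8, max_vowel_ratio=0.3):
    """Heuristic (assumed thresholds): long, high-entropy, vowel-poor alphabetic label.

    Pronounceable names such as 'fileserver' or 'printer' fall under the entropy
    or vowel limits; labels with digits are left alone because they are common
    in intranet naming schemes (server01, vm12, ...).
    """
    if len(label) < min_len or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def summarize(lines):
    """Group random-looking query names by client.

    Returns {client: {"names": sorted distinct qnames, "label_lengths": sorted lengths}}.
    The lengths are reported so a reader can compare against known benign probes.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        first_label = rec["qname"].split(".")[0]
        if looks_random(first_label):
            hits[rec["client"]].add(rec["qname"])
    return {
        client: {
            "names": sorted(names),
            "label_lengths": sorted({len(n.split(".")[0]) for n in names}),
        }
        for client, names in hits.items()
    }


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_UNBOUND_LINES).items():
        print(f"{client}: {len(info['names'])} random-looking names, "
              f"label lengths {info['label_lengths']}: {info['names']}")
```

Run it against a real log with `summarize(open('/var/log/resolver/latest.log').read().splitlines())` or whatever path your OPNsense version writes to; the path is an assumption here. The interesting output is the per-client count and length spread, not any single name.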
#2
"ignore content" cannot be configured in the monit GUI of opnSense. I had to configure it manually in /usr/local/etc/monitrc and restart the service to get it to work....

check file NAS_Access with path "/var/log/suricata/eve.json"
   ignore content = "10.0.1.254"
   if content = "alert" then alert

---> https://mmonit.com/monit/documentation/monit.html#FILE-CONTENT-TEST
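An added example, not from the post and not monit or OPNsense code: monit's `ignore content` / `if content` tests apply a POSIX regex to each new line of the file, ignore lines first and then look for the match. The Python below reimplements that per-line behaviour over constructed eve.json-style lines (not real Suricata output) so you can see what the rule above actually fires on, and puts a JSON-aware check next to it that tests `event_type` and the address fields instead of substrings. The difference matters for two reasons a practitioner will hit: the dots in "10.0.1.254" are regex wildcards, and the bare word "alert" also appears in records that are not alerts, such as stats lines carrying a detect alert counter.

```python
"""Per-line regex filter (monit semantics) versus JSON-aware filter over eve.json (added example)."""
import json
import re

NAS_IP = "10.0.1.254"

# Constructed sample records in Suricata eve.json shape; not captured traffic.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2021-08-31T21:32:59.000000+0200", "event_type": "alert",
                "src_ip": "10.0.1.254", "dest_ip": "10.0.1.10", "proto": "TCP",
                "alert": {"signature_id": 1, "signature": "constructed test rule", "severity": 2}}),
    json.dumps({"timestamp": "2021-08-31T21:33:01.000000+0200", "event_type": "alert",
                "src_ip": "203.0.113.7", "dest_ip": "10.0.1.10", "proto": "TCP",
                "alert": {"signature_id": 2, "signature": "constructed test rule", "severity": 1}}),
    json.dumps({"timestamp": "2021-08-31T21:33:02.000000+0200", "event_type": "stats",
                "stats": {"detect": {"alert": 0}}}),
    json.dumps({"timestamp": "2021-08-31T21:33:03.000000+0200", "event_type": "flow",
                "src_ip": "10.0.1.20", "dest_ip": "10.0.1.10", "proto": "TCP"}),
]


def monit_style(lines, ignore_pattern=NAS_IP, content_pattern="alert"):
    """Mirror of the monit file content test: a line is skipped if the ignore regex
    matches, otherwise it triggers if the content regex matches anywhere in it.

    The patterns are compiled as-is, dots unescaped, because that is how monit
    treats the quoted string.  Returns the indexes of triggering lines.
    """
    ignore_re = re.compile(ignore_pattern)
    content_re = re.compile(content_pattern)
    return [i for i, line in enumerate(lines)
            if not ignore_re.search(line) and content_re.search(line)]


def structured(lines, nas_ip=NAS_IP):
    """JSON-aware version: only alert events, and only those where the NAS is
    neither source nor destination.  Malformed lines are skipped."""
    hits = []
    for i, line in enumerate(lines):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        if nas_ip in (ev.get("src_ip"), ev.get("dest_ip")):
            continue
        hits.append(i)
    return hits


if __name__ == "__main__":
    print("monit-style regex would fire on lines:", monit_style(SAMPLE_EVE_LINES))
    print("structured filter fires on lines:    ", structured(SAMPLE_EVE_LINES))
```

On the constructed sample the regex version fires on the real alert from 203.0.113.7 and on the stats record, because the latter contains the word alert as a key; the structured version fires on the alert only. If you keep the monit rule, anchor the content pattern on the field rather than the bare word, for example `"event_type":"alert"`, and remember that the ignore line also hides alerts in which the NAS is the target, not just the source.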